Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

cannot add _kerberos._kkdcp SRV record

Started by leenmark, May 20, 2015, 05:41:31 AM


leenmark

Unable to add _kerberos._kkdcp SRV record

I need to add SRV record for _kerberos._kkdcp.<mydomain> but dns.he.net does not allow me.

WebUI available to me enforces ._protocol, which does not seem to include ._kkdcp as an acceptable option.

I must have such record to get my "Kerberos Key Distribution Center Proxy" implementation going.

Can ._kkdcp pls be added as accepted protocol?

While waiting for such to be achieved, who at dns.he.net can I ask to implement the required SRV record for me?

kcochran

Protocol covers the underlying transport protocol, either TCP or UDP.  I'm not finding any specs adding KKDCP.

MIT's Kerberos docs at http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-install/Hostnames-for-the-Master-and-Slave-KDCs.html do not list that as a valid protocol either.

leenmark

Txs for your prompt response.

Well, then I am stuck. Microsoft DNS server allows me to create such record (although it does not present _kkdcp in its protocol drop down, I can type it in).

And iOS clearly resolves _kerberos._kkdcp (and not _kerberos._kkdcp._tcp) in its iOS Single-Sign-On implementation.

kcochran

That seems kind of odd, since the OSX source for the Kerberos Helper has the following:

http://opensource.apple.com/source/KerberosHelper/KerberosHelper-151/Source/DeconstructServiceName.c
#define ValidTransportProtocol(X) ( (X)[0] == 4 && (X)[1] == '_' && \
((((X)[2] | 0x20) == 'u' && ((X)[3] | 0x20) == 'd') || (((X)[2] | 0x20) == 't' && ((X)[3] | 0x20) == 'c')) && \
((X)[4] | 0x20) == 'p')


With something like _kkdcp, it doesn't clarify whether it's using TCP or UDP for the transport, unless it's expecting a CNAME to some secondary SRV, or just trying that one, and then failing back to something else.  I can't find any documented use of that record.
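Added example, not part of the original thread: the quoted macro applied to the second label of an SRV owner name in DNS wire format, showing that `_tcp` and `_UDP` pass while `_kkdcp` is rejected. The helper names `nth_label` and `srv_proto_label_ok` and the `example.com` sample names are assumptions made for this illustration; only the macro comes from the post above.

```c
#include <stddef.h>
#include <stdio.h>

/* Macro as quoted in the post: X points at a length-prefixed DNS label. */
#define ValidTransportProtocol(X) ( (X)[0] == 4 && (X)[1] == '_' && \
    ((((X)[2] | 0x20) == 'u' && ((X)[3] | 0x20) == 'd') || \
     (((X)[2] | 0x20) == 't' && ((X)[3] | 0x20) == 'c')) && \
    ((X)[4] | 0x20) == 'p')

/* Hypothetical helper: pointer to the idx-th label (0-based) of a wire-format
 * name, or NULL if the name ends first, is truncated, or contains a length
 * byte above 63 (which also rules out compression pointers). */
static const unsigned char *nth_label(const unsigned char *name, size_t len,
                                      size_t idx)
{
    size_t off = 0;
    while (off < len) {
        unsigned char l = name[off];
        if (l == 0 || l > 63 || off + 1 + l > len)
            return NULL;
        if (idx-- == 0)
            return name + off;
        off += 1 + (size_t)l;
    }
    return NULL;
}

/* Returns 1 if the label after _service is _tcp or _udp (any case), else 0. */
int srv_proto_label_ok(const unsigned char *name, size_t len)
{
    const unsigned char *proto = nth_label(name, len, 1);
    return proto != NULL && ValidTransportProtocol(proto);
}

/* Constructed sample owner names; the literal's trailing NUL is the root label. */
static const unsigned char NAME_TCP[]   = "\x09_kerberos\x04_tcp\x07" "example\x03" "com";
static const unsigned char NAME_UDP[]   = "\x09_kerberos\x04_UDP\x07" "example\x03" "com";
static const unsigned char NAME_KKDCP[] = "\x09_kerberos\x06_kkdcp\x07" "example\x03" "com";

int main(void)
{
    printf("_kerberos._tcp   -> %d\n", srv_proto_label_ok(NAME_TCP, sizeof NAME_TCP));
    printf("_kerberos._UDP   -> %d\n", srv_proto_label_ok(NAME_UDP, sizeof NAME_UDP));
    printf("_kerberos._kkdcp -> %d\n", srv_proto_label_ok(NAME_KKDCP, sizeof NAME_KKDCP));
    return 0;
}
```

The bounds check in `nth_label` runs before the macro, so the macro never reads past a truncated name.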

snarked

From that code, it looks as if TCP and UDP are the only two protocols supported for SRV records.  Major bummer.  Some people use other things like SCTP or "udp-lite", but those won't work with your OS.

Also, their way of detecting upper/lower case is encoding dependent, which is bad.  It works for ASCII but fails for EBCDIC.  Hope no IBM mainframes ever want to run their code....

kcochran

Eh, it's a define for an OSX-specific Kerberos helper shim, and would be only applicable for that service itself.  I also don't see KKDCP in /etc/protocols anyway which would seem to be where one might expect to find other potential protocols for the _proto field on a SRV record.